2017

TECHNOLOGY

When ‘Things’ Attack

Cyberattacks highlight security risks of a connected society

Tens of millions of
electronic devices were hijacked in October by unknown hackers and used to shut
down large portions of the internet, affecting companies such as Twitter,
Netflix, PayPal and Amazon.1-3

Using devices such as wristwatches,
home-monitoring cameras and children’s toys, these attacks surfaced security
vulnerabilities in the Internet of Things (IoT)—a developing technology
many organizations see as a gateway to a brave new world of process
efficiencies, cost savings and revenue generation.

Proponents of the IoT, which refers to objects
that are connected to the internet, cite benefits that touch almost every
industry. These connected objects could be water pipes that can automatically
report leaks, medical devices that remotely analyze patients’ vital signs and
report them to physicians, or tags and sensors used in logistics that shipping
organizations estimate could save global supply chains $1.9 billion.4, 5

Experts, however, worry that the push to bring
more connected devices to market is expanding the risk of more attacks. Without
regulation to force device-makers to build better security into their products,
a more connected society could strengthen hackers’ abilities to spread
malicious software (also known as malware). These security loopholes could lead
to future internet disruptions, stolen data and other threats that could risk
consumers’ safety and cost organizations millions of dollars.

A security virus

October’s historic
cyberattack relied on malware called Mirai that controlled millions of devices
and spread itself like a virus. Mirai scanned the web for connected devices
protected by weak or default passwords and forced those compromised products to
search for more vulnerable devices. This created a network for hackers to carry
out a distributed denial of service (DDoS) attack—jamming connectivity
services from the internet infrastructure company Dyn and affecting services in
the United States, Europe and Asia.6

Newer devices from low-end manufacturers that
make cheap products without regard for security were among the vulnerable
products, said Ben Herzberg, security group research manager at the
cybersecurity company Imperva. Because some of these devices can’t receive
updates against newly found security risks or have default passwords protecting
them, they will continue to be exposed to attacks such as Mirai.

The expansion of the IoT market is speeding up.
According to the Consumer Technology Association, 170 million people will
receive IoT-related gifts this holiday season, and there are no regulations
forcing device-makers to improve their products’ security.9

"It would be great if we could say, ‘If you want
to produce a device connected to the internet, you must go through basic
security checks.’ But we don’t have that right now," Herzberg said. "These
attacks are not going away."10

Maneesha Mithal, an associate director with the
U.S. Federal Trade Commission, said IoT security is a "huge priority" and
"companies are not investing as much time and effort as they should" in this
area.11

Disconnected auto security

The rise of devices such as smartphones, tablets and connected wearable
electronics has woven internet connections into nearly every part of society.
For many organizations, this expansion offers great potential for improving and
streamlining how they do business.

Consumer demands are pressuring automakers to add
connected features to vehicles, and three-quarters of new vehicles could have
internet connections by 2020. Renault and Nissan, for example, announced in
October they would hire hundreds of software engineers to focus on developing
vehicles with capabilities similar to those of smartphones—such as being
able to receive over-the-air updates or information about areas in which
they’re traveling.12, 13

Creating virtual assistants is another promise of
connected cars. These are systems that could offer a driver advice for the most
fuel-efficient route or provide post-trip feedback about his or her driving.
This feedback could reduce emissions by 5 to 20%, according to the European
Automobile Manufacturers’ Association, but these benefits come with risks.14

In 2015, hackers Charlie Miller and Chris Valasek
demonstrated their ability to remotely control, through its internet
connection, a Jeep Cherokee driving on the highway. Using a laptop, they brought
the Jeep to a stop.15

"If consumers don’t realize this is an issue,
they should, and they should start complaining to carmakers," Miller said.
"This might be the kind of software bug most likely to kill someone."16

U.S. regulators took notice of the auto
industry’s technology potentially outpacing its ability to protect consumers,
and in October they issued cybersecurity guidelines to provide a roadmap for
the industry to show how it will protect connected vehicles from attack.17

Healthcare vulnerabilities

For healthcare, the IoT
could significantly reduce patients’ cost of care and improve drug management.
On average, it costs a patient $1,700 for a one-day hospital stay, but sending
them home with connected body monitors allows doctors to still receive
observation data and prevents a need for some inpatient care.18

By transferring data to a mobile app,
pharmaceutical companies also are developing "smart" inhalers, which could
track patients’ use and remind them to take the next dose. This data also could
be sent to physicians and drug manufacturers for analysis.19

Implanted medical devices, such as those made by
St. Jude Medical Inc.’s Merlin@home, use external transmitters to monitor an
implant while a patient sleeps and send information to a patient care
network—avoiding a visit to the doctor.

Recently,
Muddy Waters Research reported it was able to gain access to this device and to
turn off functions or send shocks that could kill patients. St. Jude Medical
denied such an attack was possible. While this highlights one of the worst
fears surrounding IoT hacking in healthcare, data breaches also are a major
concern, considering the amount of personal information that’s available on
healthcare systems.20

"When you have
these IoT attacks, not only can it disrupt services and access to information,
if those devices are connected to the hospital network, there’s nothing to say
they can’t focus on hospitals and create a DDoS," said Mac McMillan, cofounder
and CEO of the healthcare IT consulting firm CynergisTek.21

Changing strategies necessary

According to a recent
survey of 2,000 security officers from organizations worldwide, three-quarters
of executives had confidence in their security strategies. The survey report,
however, also found one-third of targeted attempts to breach organizations’
cybersecurity succeed despite organizations spending about $85 billion to
protect their data.22

According to respondents, it also can take months
to identify breaches, and 98% are reported by employees outside the security
team. It’s estimated data breaches collectively cost organizations $2 trillion.
That figure could go up to $90 trillion by 2030.23

"There needs to be a fundamentally different
approach to security protection starting with identifying and prioritizing key
company assets across the entire value chain," said Kevin Richards, managing
director of Accenture Security North America.24

Over the past two years, there was a 70% increase
in the number of IoT devices, and experts say there will be more than 50
billion devices online by 2020.25 Michael Walker, a program manager
and computer security expert at the Pentagon’s advanced research arm, said, "If
we want to put networked technologies into more and more things, we also have
to find a way to make them safer … It’s a challenge for civilization."26

QFD Pioneer Dies

Yoji Akao, known for creating quality function deployment (QFD) and
developing the hoshin kanri strategic planning method, has died. He was 88.

Akao, who was
named an honorary member of ASQ in November 2009, taught at Yamanashi
University in Kofu, Japan, and Tamagawa University in Machida, Japan, where he
eventually held the position of dean of the faculty of engineering. After
retirement, he accepted a position as professor of management at the Asahi
University School of Business Administration in Mizuho, Japan.

Akao was awarded
ASQ’s Distinguished Service Medal in 2001 and the Shainin Medal in 2006. In
1978, he was awarded the Union of Japanese Scientists and Engineers Deming
Prize for Individuals.

ASQ News

STATISTICS SCHOLARSHIP OPENS Applications for the 2017-18 Ellis R.
Ott Scholarship are now available through ASQ’s Statistics Division. The $7,500
scholarships are for students in master’s degree or higher programs with
concentrations in applied statistics or quality management. The 2016-17
scholarship recipients were: Andrew Walter of the University of Kansas and
Matthew Keefe of Virginia Tech. For more information and an application form,
visit http://asq.org/statistics/about/awards-statistics.html.
Applications are due April 1.

2017 RAMS SET The Reliability Division’s annual
Reliability and Maintainability Symposium (RAMS) will be Jan. 23-26, 2017, in
Orlando, FL. Visit www.rams.org
for more details about the event.

Short Runs

THE ASSOCIATION FOR Manufacturing Excellence (AME) recently announced five recipients of its AME
2016 Excellence Award. They are: Accuride de Mexico in Monterrey, Mexico;
Goodyear Innovation Center in Akron, OH; Littelfuse in Wuxi, China; MillerCoors
Trenton Brewery in Trenton, OH; and O.C. Tanner in Salt Lake City. For more
about the award and the recipients, visit http://tinyurl.com/ame-award-recip.

THE 11TH ANNUAL Massachusetts Institute of Technology Sloan Sports Analytics Conference will be
held March 3-4, 2017, in Boston. For details, visit http://tinyurl.com/mit-sports-conf.

THE BALDRIGE PERFORMANCE Excellence Program’s 2017-2018 Baldrige Excellence Framework
(Business/Nonprofit) booklet will be released this month. The education and
healthcare booklets will follow in mid-January. All three versions include the Baldrige
Criteria for Performance Excellence, core
values and concepts, and guidelines for evaluating your organization’s
processes and results.

THE BALDRIGE PROGRAM is seeking qualified candidates for the 2017 Baldrige Executive Fellows Program, a
one-year, leadership-development experience to facilitate dialogue on all
aspects of leadership and how it relates to visionary focus, strategy,
operational intelligence, engagement and sustainability. The deadline to submit
applications is Dec. 15. For more information, visit http://tinyurl.com/baldrige-fellows.

THE 28TH ANNUAL National Forum on Quality Improvement in Healthcare is being held Dec. 4-7 in Orlando,
FL. The event is being organized by the Institute for Healthcare Improvement.
For more information, visit www.ihi.org/forum.

THE LEAPFROG GROUP, a national patient safety watchdog, released its hospital safety grades for more
than 2,600 U.S. hospitals. The program assigns A, B, C, D and F letter grades
bi-annually and has become a standard measurement of patient safety in the
United States. For more information, visit www.hospitalsafetygrade.org.

A CALL FOR PRESENTATIONS has been issued
by GS1 US for its annual conference June 19-22, 2017, in Las Vegas. GS1 US is a
not-for-profit, nongovernmental organization that maintains global standards
for bar codes, radio frequency and other identification systems, data
synchronization and electronic information exchange. For more information,
visit http://tinyurl.com/gs1-need-speakers.

Who’s Who in Q

NAME: Tracy Owens.

RESIDENCE: Columbus, OH.

EDUCATION: Master’s degree in international business from Seattle University.

INTRODUCTION TO QUALITY: Negative experiences as a consumer drove Owens to start searching
for ways to uncover the root causes of errors and delays. In 1998, he moved to
a Black Belt position with his employer, Kenworth Truck Co., and learned how
lean and Six Sigma help personnel quickly investigate problems and make
lasting, positive improvements.

CURRENT JOB: Director of continuous improvement at LexisNexis. Owens also is a volunteer
examiner at the Partnership for Excellence, the Baldrige program for Ohio,
Indiana and West Virginia.

PREVIOUS JOBS: Owens served in the U.S. Army from 1988 to 1994 and was deployed to Operation
Desert Storm and Somalia. Owens said training for a job and putting your
training to the test in battle was incredibly rewarding.

ASQ ACTIVITIES: Chair-elect of ASQ’s Innovation Division and engaged in planning the 2017
Innovation Conference, which will be held Oct. 13-15 in Dayton, OH.

Date in Quality History

QP looks back on a person or
event that made a difference in the history of quality.

Dec. 10, 1976

Harold F. Dodge, one of the principal architects of
the science of statistical quality control, died on this date.

Dodge was born in Lowell, MA, in 1893. He earned a
degree in electrical engineering from the Massachusetts Institute of Technology
in 1916, and a master’s degree in physics and math from Columbia University in
1922.

Dodge was a statistician at Bell Laboratories from
1917 to 1958. At Bell in the 1930s, Walter Shewhart introduced the theory of
using statistical methods to solve quality control problems. Dodge and a
colleague, Harry G. Romig, are credited with building on Shewhart’s statistical
process control concepts by introducing acceptance sampling methods.

The Dodge-Romig Sampling Inspection Tables have been
called Dodge’s most important work. During his tenure at Bell, he developed the
basic concepts of acceptance sampling, such as consumer risk, producer risk,
double sampling, lot tolerance percent defective and average outgoing quality
limit. He originated several types of acceptance sampling schemes, continuous
sampling plans, chain sampling plans and skip-lot sampling plans.

Dodge chaired the
ASQ Standards Committee for many years. He was the second recipient of ASQ’s
Shewhart Medal (1949), sixth recipient of the Grant Award (1972) and fifth
honorary member (1965). He also was a fellow and founding member.

Correction

In "Diving Deeper" (October 2016, pp. 34-41), a table was mistakenly
omitted from the print version of the feature article. The web presentation of
the article, as well as the PDF versions of the article and the complete QP
issue, have been updated to include Table 2 at this article’s webpage at http://asq.org/quality-progress/2016/10/statistics/diving-deeper.html.